Welcome back to my Exchange Online training series. In today’s session we’ll dive into Automatic Forwarding Risks & How to Disable It, a critical topic for every Microsoft 365 administrator. If you’ve ever discovered sensitive email threads quietly leaving your tenant, you already know why this matters. Attackers love auto‑forwarding; well‑meaning users accidentally create shadow‑IT mail flows; and compliance teams need provable controls.
By the end of this lesson, you’ll understand why automatic forwarding is risky, exactly how Exchange Online handles it, and multiple hardened ways to disable or safely allow it—with both Admin Center steps and PowerShell.
Why Automatic Forwarding Is Risky
Let’s start with strategy before toggling settings. Disabling automatic forwarding is about stopping silent data egress. The main risks are:
- Credential theft & mailbox rules abuse: Compromised accounts often have inbox rules created to forward copies of messages externally. This gives attackers long‑term visibility with minimal noise.
- Unapproved data sharing: Users sometimes forward business mail to personal accounts for convenience, creating regulatory, privacy, and IP protection issues.
- Loss of audit boundaries: Once mail leaves your tenant, you lose retention, eDiscovery, and DLP control.
- Legal exposure: Automatic forwarding can violate contractual, industry, or regional data handling requirements (think finance, healthcare, or public sector).
- Shadow archiving: “I forward everything to Gmail to keep a backup.” That’s shadow IT with legal and security exposure.
Bottom line: treat external auto‑forwarding as deny-by-default, and permit only via documented, approved exceptions.
Where Auto‑Forwarding Comes From
If we want to disable it correctly, we must know every entry point:
User‑initiated sources
- Outlook/OWA Inbox rules: “Forward to” or “Redirect to” actions.
- Outlook Forwarding settings (under Mail > Forwarding in OWA).
- Delegates or shared mailbox workflows that add forwarding rules.
Admin‑initiated/system sources
- Mailbox‑level ForwardingAddress or ForwardingSmtpAddress set by admins.
- Transport (mail flow) rules that redirect or BCC to external recipients.
- Connectors or Remote Domain settings that allow forwarding.
- Outbound spam policy forwarding controls.
- Third‑party migration/archiving tools configured to relay copies outward.
Our controls need to cover all of those channels, not just a single toggle.
Control Layers in Exchange Online
Think in layers; this is the key to controlling automatic forwarding:
- Outbound spam filter policy (EOP / Defender for Office 365): Global switch for automatic forwarding to external recipients: On, Off, or “Automatic (recommended)”, which blocks external forwarding automatically except for approved scenarios.
- Transport (mail flow) rules: Enforce policy patterns, create block/allow logic, and log exceptions.
- Remote Domains: Decide whether automatic forwards are allowed to specific external domains.
- Mailbox‑level settings: Disable or clear forwarding at the mailbox object and scan for inbox rules.
- Client controls: Block or detect from OWA/Outlook rule creation perspective (enforcement is still server-side).
- Detection & response: Alerts, hunting queries, and auditing for any new forwarding rules or anomalous egress.
Use several layers together for proper defense‑in‑depth.
Fast Wins: Stop External Auto‑Forwarding in Minutes
When time is tight, here’s the fastest secure baseline:
Step A — Set outbound spam policy to block automatic forwarding externally
- Admin Center: Microsoft 365 Defender → Email & collaboration → Policies & rules → Threat policies → Anti‑spam outbound policy
- Set Automatic forwarding to Off for the default outbound policy (or create a stricter custom policy and scope it to all users).
Step B — Add a transport rule to hard‑block unexpected forwards
Create a rule: If message type is Auto‑forward, reject with explanation and log. This captures edge cases and produces user‑friendly NDRs.
Step C — Review & clear mailbox‑level forwarding + inbox rules
Run a script to list/disable any existing mailbox forwarding or suspicious rules (examples in the PowerShell section).
That trio closes 90% of gaps quickly.
Admin Center Walkthroughs (Modern Experience)
Let’s do this the way you’ll teach your helpdesk and junior admins.
1. Disable external auto‑forwarding via Outbound Spam Policy
- Go to security.microsoft.com
- Email & collaboration → Policies & rules → Threat policies → Anti‑spam
- Open Outbound spam filter policy (Default)
- Find Automatic forwarding and set: Off – disable automatic external forwarding
- Save.
This setting alone prevents most user‑created inbox rules from forwarding mail outside the tenant.
2. Create a transport rule to block (and message) users
- Exchange admin center → Mail flow → Rules → Add rule
- Name: Block External Auto‑Forward
- Condition: Message type → Auto‑forward
- Action: Reject the message with the explanation: “External automatic forwarding is not permitted by policy. Contact IT for approved exceptions.”
- Mode: Enforce
- Save.
This provides a clear NDR and central logging. It also protects you if someone tries to bypass the outbound spam policy via connectors.
3. Restrict Remote Domains (optional but strong)
- Exchange admin center → Mail flow → Remote domains
- For Default, set Allow automatic forwarding to Never.
- For any approved partner domain, create a dedicated remote domain and (optionally) set to Allow, but only after formal approval.
This gives you domain‑level granularity.
4. Disable mailbox‑level forwarding (bulk approach)
For individual exceptions you might allow it, but for general users, keep it off. We’ll automate this in PowerShell next.
PowerShell Command
Here’s your ready‑to‑run toolkit for finding and disabling automatic forwarding.
Connect to Exchange Online
Connect-ExchangeOnline
1. Block external automatic forwarding in outbound policy
# View current outbound policies
Get-HostedOutboundSpamFilterPolicy | ft Name,AutoForwardingMode
# Set default policy to Off (block external auto-forwarding)
Set-HostedOutboundSpamFilterPolicy -Identity "Default" -AutoForwardingMode Off
Values: On, Off, or Automatic (Microsoft’s recommended setting that blocks most external auto-forward unless explicitly allowed). I recommend Off for strict environments.
2. Create a transport rule to block auto‑forwarded messages
New-TransportRule -Name "Block External Auto-Forward" `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "External automatic forwarding is not permitted. Contact IT for an exception."
Optional: apply only when Outside the organization:
Set-TransportRule "Block External Auto-Forward" -SentToScope NotInOrganization
3. Disable automatic forwarding on the Default Remote Domain
Set-RemoteDomain Default -AutoForwardEnabled $false
Allow for a specific partner (use sparingly):
New-RemoteDomain -Name "PartnerCo" -DomainName "partnerco.com"
Set-RemoteDomain -Identity "PartnerCo" -AutoForwardEnabled $true
4. Find and remove mailbox‑level forwarding
# List all mailboxes with any forwarding set
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object DisplayName,PrimarySmtpAddress,ForwardingAddress,ForwardingSmtpAddress
# Disable mailbox forwarding (bulk)
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    ForEach-Object { Set-Mailbox $_.Identity -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false }
5. Hunt for suspicious inbox rules that forward externally
# WARNING: This can be intensive in large tenants; scope by department or pilot group first.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_.PrimarySmtpAddress
    $rules = Get-InboxRule -Mailbox $_.Identity -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        # Report any rule that forwards, redirects, or forwards as attachment
        if ($r.ForwardTo -or $r.RedirectTo -or $r.ForwardAsAttachmentTo) {
            [pscustomobject]@{
                Mailbox               = $mbx
                RuleName              = $r.Name
                ForwardTo             = ($r.ForwardTo | ForEach-Object {$_.AddressString}) -join ';'
                RedirectTo            = ($r.RedirectTo | ForEach-Object {$_.AddressString}) -join ';'
                ForwardAsAttachmentTo = ($r.ForwardAsAttachmentTo | ForEach-Object {$_.AddressString}) -join ';'
                Enabled               = $r.Enabled
            }
        }
    }
} | Export-Csv .\ForwardingRulesReport.csv -NoTypeInformation
Remove a specific rule:
Remove-InboxRule -Mailbox user@contoso.com -Identity "Forward All"
6. Disable forwarding from OWA user setting (prevent at server)
There isn’t a single OWA toggle for this—the outbound policy + transport rule are the enforcement points. You can also remove the forwarding value at mailbox level:
Set-Mailbox user@contoso.com -ForwardingAddress $null -ForwardingSmtpAddress $null
Exceptions: How to Allow Specific, Approved Forwarding
Sometimes the business truly needs forwarding (e.g., a shared mailbox relays to a secure ticketing system, or a regulated archive). Here’s a controlled exception pattern:
- Create a dedicated security group (e.g., AutoForward_Approved).
- Scope a custom transport rule:
  - If MessageTypeMatches = AutoForward
  - And Sender is member of AutoForward_Approved
  - Bypass the block (or route to a specific connector).
- Limit by domain with Remote Domains—only allow partnerco.com, deny the rest.
- Document the business justification, owner, expiry date, and review quarterly.
- Monitor with alerts (see next section).
Transport rule example (allow for group members):
# -FromMemberOf scopes the rule to senders in the approved group.
# -StopRuleProcessing keeps the lower-priority block rule from also acting on the message.
New-TransportRule -Name "Allow External Auto-Forward for Approved Group" `
    -MessageTypeMatches AutoForward `
    -FromMemberOf "AutoForward_Approved" `
    -SetAuditSeverity High `
    -StopRuleProcessing $true `
    -Mode Enforce -Comments "Approved exception with quarterly review; owner: IT Security"
Place this above the block rule in priority order.
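An added example (not the author's code) that completes the exception pattern above and checks the rule ordering. It assumes an active Connect-ExchangeOnline session, a mail-enabled AutoForward_Approved group, the two transport rule names used on this page, and a hypothetical policy name. It also assumes the default outbound spam policy is set to Off as in the earlier step, in which case approved senders need their own outbound policy in addition to the transport rule.

```powershell
# Added example. Assumes an active Connect-ExchangeOnline session.
$group      = 'AutoForward_Approved'                            # group from this page
$allowRule  = 'Allow External Auto-Forward for Approved Group'  # rule from this page
$blockRule  = 'Block External Auto-Forward'                     # rule from this page
$policyName = 'AutoForward - Approved Senders'                  # hypothetical name

# 1. Outbound spam policy exception: a custom policy with forwarding On,
#    applied only to members of the approved group.
if (-not (Get-HostedOutboundSpamFilterPolicy | Where-Object Name -eq $policyName)) {
    New-HostedOutboundSpamFilterPolicy -Name $policyName -AutoForwardingMode On | Out-Null
    New-HostedOutboundSpamFilterRule -Name $policyName `
        -HostedOutboundSpamFilterPolicy $policyName `
        -FromMemberOf $group | Out-Null
}

# 2. Transport rules are evaluated in ascending Priority; 0 runs first.
Set-TransportRule -Identity $allowRule -Priority 0

# 3. Verify that the allow rule really wins over the block rule.
$allow = Get-TransportRule -Identity $allowRule
$block = Get-TransportRule -Identity $blockRule
if ($allow.Priority -ge $block.Priority) {
    Write-Warning "'$allowRule' runs after '$blockRule'; approved senders will still be rejected."
}
if (-not $allow.StopRuleProcessing) {
    Write-Warning "'$allowRule' does not stop rule processing; '$blockRule' will still evaluate the message."
}
if ($allow.State -ne 'Enabled' -or $allow.Mode -ne 'Enforce') {
    Write-Warning "'$allowRule' is not enabled in Enforce mode (State=$($allow.State), Mode=$($allow.Mode))."
}

# 4. List who currently holds the exception, for the quarterly review.
Get-DistributionGroupMember -Identity $group -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, RecipientType
```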
Detect, Investigate, and Alert on Forwarding
Blocking automatic forwarding isn’t complete without detection and response.
- Alerts (Microsoft 365 Defender / Purview)
  - Enable User forwarded mail to external alert.
  - Monitor for new inbox rules, new forwarding, or significant external recipient spikes.
- Threat hunting
  - Search for inbox rules created by non‑owner or impossible travel + new rules patterns.
- Mailbox auditing
  - Ensure mailbox audit logging is on (it is by default in modern tenants).
- Quarantine review
  - When forwarding is blocked, some systems may generate automated NDRs or quarantined copies; monitor for noise and tune rules.
Security teams should triage any newly discovered forwarding rules as potential account compromise unless proven otherwise.
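One way to triage new forwarding configuration from the unified audit log, as an added example that is not part of the original lesson. The function name is hypothetical and the two sample records are constructed; it covers cmdlet-style audit records (New-InboxRule, Set-InboxRule, Set-Mailbox), not rules created from the Outlook desktop client.

```powershell
# Added example. Flags forwarding targets in audit records and marks external ones.
function Get-ForwardingAuditHit {
    param(
        [Parameter(Mandatory)] [object[]] $Record,         # objects carrying an AuditData JSON string
        [Parameter(Mandatory)] [string[]] $AcceptedDomain  # domains owned by the tenant
    )
    $fwdParams = 'ForwardTo','RedirectTo','ForwardAsAttachmentTo','ForwardingSmtpAddress'
    foreach ($rec in $Record) {
        $data = $rec.AuditData | ConvertFrom-Json
        $hits = $data.Parameters | Where-Object { $_.Name -in $fwdParams -and $_.Value }
        foreach ($p in $hits) {
            # A value may hold several recipients or an "smtp:" prefix; extract each address.
            $addresses = [regex]::Matches($p.Value, '[\w.+-]+@[\w-]+(\.[\w-]+)+') |
                ForEach-Object { $_.Value }
            foreach ($addr in $addresses) {
                $domain = ($addr -split '@')[-1]
                [pscustomobject]@{
                    Time      = $data.CreationTime
                    Actor     = $data.UserId
                    Operation = $data.Operation
                    Parameter = $p.Name
                    Target    = $addr
                    External  = $domain -notin $AcceptedDomain   # case-insensitive
                    ClientIP  = $data.ClientIP
                }
            }
        }
    }
}

# Constructed sample records (not real tenant data).
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-01-01T10:00:00","Operation":"New-InboxRule","UserId":"alice@contoso.com","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@example.net"}]}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-01-01T11:30:00","Operation":"Set-Mailbox","UserId":"admin@contoso.com","ClientIP":"198.51.100.7","Parameters":[{"Name":"Identity","Value":"bob"},{"Name":"ForwardingSmtpAddress","Value":"smtp:helpdesk@contoso.com"}]}' }
)
Get-ForwardingAuditHit -Record $sample -AcceptedDomain 'contoso.com' |
    Sort-Object External -Descending | Format-Table -AutoSize

# Against a live tenant (requires Connect-ExchangeOnline and audit log access):
# $live    = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#                -Operations New-InboxRule,Set-InboxRule,Set-Mailbox -ResultSize 5000
# $domains = (Get-AcceptedDomain).DomainName
# Get-ForwardingAuditHit -Record $live -AcceptedDomain $domains | Where-Object External
```

With the sample data, the alice@contoso.com rule forwarding to example.net is reported as External = True and the admin-set forward to helpdesk@contoso.com as External = False.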
Compliance & Governance Considerations
When you present policy changes, align them with governance:
- DLP (Data Loss Prevention): Combine forwarding blocks with DLP policies so even allowed exceptions won’t forward sensitive info (e.g., financial, PII, PHI).
- Sensitivity labels: Use Microsoft Purview Information Protection to encrypt messages—forwarding becomes useless outside trusted boundaries.
- Retention: Forwarding undermines retention/eDiscovery. Keep content within tenant.
- Insider risk management: Forwarding to personal addresses can be an early insider risk signal.
- Partner governance: If you must allow a partner, ensure contractual controls, security posture checks, and least‑privilege scoping.
Troubleshooting: “Why Was My Forward Blocked?”
Users will ask, so here’s your quick diagnostic flow:
- Check outbound spam policy – is AutoForwardingMode Off/Automatic?
- Open message trace (Exchange Online → Mail flow → Message trace)
  - Review the status there to see whether the mail is being forwarded.
- Review transport rules priority – did the Block rule supersede your allow‑list?
- Remote domain – is AutoForwardEnabled $false for Default or the target domain?
- Mailbox forwarding – does the mailbox have ForwardingAddress or Inbox rules?
- Connector path – if a line‑of‑business app relays mail, confirm connector configuration isn’t dropping messages due to policy mis‑match.
Provide a friendly NDR template so users know where to file exceptions with business justification.
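The checks in this flow gathered into one function, as an added example rather than the author's script. It assumes an active Connect-ExchangeOnline session; the function name and its parameters are hypothetical, it reports the settings at each layer without deciding the outcome, and message trace is left to the admin center.

```powershell
# Added example. Collects the forwarding-related setting at each control layer
# for one mailbox and one destination domain.
function Get-AutoForwardLayerState {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,       # mailbox whose forward was blocked
        [Parameter(Mandatory)] [string] $TargetDomain   # domain of the forwarding destination
    )
    # Remote domain: a specific (or wildcard) entry wins, otherwise Default ('*') applies.
    $remote = Get-RemoteDomain |
        Where-Object { $_.DomainName -ne '*' -and $TargetDomain -like $_.DomainName } |
        Select-Object -First 1
    if (-not $remote) { $remote = Get-RemoteDomain | Where-Object DomainName -eq '*' }

    $mbx = Get-Mailbox -Identity $Mailbox

    # Enabled inbox rules that forward or redirect
    $inboxRules = Get-InboxRule -Mailbox $Mailbox -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -and ($_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo) }

    # Transport rules keyed on the Auto-forward message type, in evaluation order
    $transport = Get-TransportRule |
        Where-Object { $_.MessageTypeMatches -eq 'AutoForward' } |
        Sort-Object Priority

    [pscustomobject]@{
        OutboundPolicies  = (Get-HostedOutboundSpamFilterPolicy |
                                ForEach-Object { "$($_.Name)=$($_.AutoForwardingMode)" }) -join '; '
        RemoteDomain      = "$($remote.Name): AutoForwardEnabled=$($remote.AutoForwardEnabled)"
        MailboxForwarding = "ForwardingAddress=$($mbx.ForwardingAddress); " +
                            "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress)"
        InboxRules        = ($inboxRules | ForEach-Object { $_.Name }) -join '; '
        TransportRules    = ($transport |
                                ForEach-Object { "[$($_.Priority)] $($_.Name) ($($_.State)/$($_.Mode))" }) -join '; '
    }
}

# Example call with placeholder values:
Get-AutoForwardLayerState -Mailbox 'user@contoso.com' -TargetDomain 'partnerco.com' | Format-List
```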
Best Practices & Operational Playbook
Here’s my concise checklist you can paste into your SOP:
- Deny by default: Block external auto‑forwarding globally via Outbound spam policy.
- Enforce with transport rules: Add a Block External Auto‑Forward rule (message type = Auto‑forward).
- Limit destinations: Use Remote Domains to allow only named partners.
- Harden mailboxes:
  - Clear ForwardingAddress/ForwardingSmtpAddress monthly.
  - Audit and remove suspicious Inbox rules.
- Use exception governance:
  - Security group gated, ticket‑based approvals, expiry dates, quarterly review.
- Visibility & alerts:
  - Enable Defender/Purview alerts for new forwarding rules and external egress spikes.
- Combine with DLP & labels: Encrypt sensitive mail; block forwarding of protected data.
- Educate users: Replace forwarding with shared mailboxes, delegation, or guest access in Teams/SharePoint.
- Document everything: Policy statement, rationale, exception list, owners, and change logs.
- Test in a pilot: Stage changes with a test group; validate with message trace and sample NDRs.
Final Thoughts
You’ve now mastered Automatic Forwarding Risks & How to Disable It from strategy to execution. With outbound spam policy, transport rules, remote domains, mailbox hardening, and robust detection, you shut the door on one of the most abused data‑exfiltration paths in Exchange Online—while still enabling tightly‑governed, auditable exceptions when the business truly needs them.
As you continue through my Exchange Online series, remember: great administration combines security by default, measured exceptions, and clear user guidance.